Here goes my first post..
I remember once I had the task to capture site-to-site traffic in a hub-and-spoke Frame-relay network.
SPAN on the Hub router's switchport / VLAN does capture Hub traffic to/from all sites, but what about site-to-site?
This was before the day of Netflow tools, but in my case capturing application ports and IPs was not enough. I needed to drop in a probe to measure site-to-site application performance (namely VoIP).
This was also before the day of VRF-Lite, where I could probably do some sort of hairpin VLAN and router on a stick. Then I found this great solution to SPAN-like a router's Serial interface.
Here's the link - very hard to find in hindsight. The feature is called Traffic-Export.
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt_rawip.html
It resolved my immediate issue. The probe was able to capture all frames (not just headers like Netflow), and the client was very happy.
On a 2621XM, I saw hardly any router performance degradation; but in those days a 2Mb frame circuit was the bomb.
Oh, and I forgot to mention the probe MAC needed to be directly connected (not routed).
Well, that was a mouthful of history.
I pondered the thought that one day you could run a trace on the router (maybe saved to flash:) and then TFTP it over for capture software import. When TCLSH launched in IOS (or at least when I finally found out about it) I thought this was the chance. Explored and failed, but did gain valuable insight into TCLSH potential. Port scanner on Cisco router anyone?
Unfortunately, Cisco never caught on whilst other Vendor software like Netscreen (Screen OS) did this out of the box on a web GUI.
Although I have had some great success with Netflow (open source and commercial) - I still would love to run a quick trace at times to import into Ethereal (arrg.. I mean Wireshark) to look at TCP performance anomalies.
Well !!! Just the other day I found something that inspired me to create this web-site. Yes, I must be a real lamer if a Cisco feature excited me enough to finally start blogging. Not only did it inspire me to finally ‘share’ my experience and give back, I have decided to go back into software development working on some ‘cloud’ computing experiments. Finally, Google gives Java hosting to the tinkerers like me, with the likes of AppEngine and Bigtables – so why not a better place to start right now.
Here it comes..
Flexible Netflow
http://www.cisco.biz/en/US/prod/collateral/iosswrel/ps6537/ps6555/ps6601/ps6965/product_data_sheet0900aecd804b590b.html
At first glance, it looks a bit like Cisco sales jargon – and simply a ‘beef up’ to support different collector profiles, which was a lacking feature in the original Netflow IOS CLI constructs.
Then it hit me while mucking around one day on my home router:
SECTIONS OF PACKET FOR DEEP INSPECTION!!!!
Within a few minutes, I was able to dump the first few hundred packets of a few Port 80 sessions. Probably my three-and-a-half-year-old playing a Nickjr.com/playtime flash game at the time – but what the heck, a success!!
Now, the formatting needs a good decoder, but I see a lot of potential. Dumping to the flash: file system and TFTP’ing it across is one thing, but what about sending it straight over to the cloud for storage and reporting? You do the math.
I have saved a snippet (the first in fact) in the resource section of the new website.
Cheers,
Jason